How to mount additional /dev devices like pts(4)?

[0mp]

I am wondering what's the potonic way to allow more devices like pts(4) to a pot?

As a test case, I'd like to be able to execute a command like this:

$ echo 1 > /dev/pts/1
1

A more real world use case would be being able to import password-protected secret keys with gpg in a jail. At the moment I'm getting the following errors:

$ sudo jexec mail gpg --import /tmp/sec.gpg
gpg: key CBB06A1D5C5E1CEA: "A B <ab@example.org>" not changed
gpg: key CBB06A1D5C5E1CEA/CBB06A1D5C5E1CEA: error sending to agent: End of file
gpg: error building skey array: End of file
gpg: error reading '/tmp/sec.gpg': End of file
gpg: import from '/tmp/sec.gpg' failed: End of file
gpg: Total number processed: 0
gpg:              unchanged: 1
gpg:       secret keys read: 1

---

PS A workaround for those errors is to specify --pinentry-mode loopback to the gpg command.

[pizzamig]

the easy question has a complicated answer.
jail(8) mount a different version of devfs(5), to limit hardware access.
We don't support yet a custom devfs(5) (it would be the devfs_ruleset jail parameter).
However, pseudoterminal are already visible in your pot, but if pts/1 is in your host, so it's not visible in a jail, but other numbers are available.
For instance, in a couple of pot I have up and running, I see /dev/pts/2 in one and /dev/pts/4 in another one.
I'll try to debug the issue with gpg, but I suspect it's related to posix_openpt(2)

[pizzamig]

For the gpg usage in jail, it seems that pinentry-tty is crashing in a jail (not limited to pot) when you import a key.
pinentry-tty itself is fine, if I call it from command line it just works. When executed by the gpg-agent it segve (signal 11, no core dump generated).
It seems that, as reported here, the only way to have it up and running is the loopback mode you already mentioned

[0mp]

Makes sense. Thanks!

[0mp]

A quick update: it looks like I can do

$ echo 1 > /dev/pts/1
1

now in a jail after running devfs -m /opt/pot/jails/gpg/m/dev rule -s 4 applyset. I've not tested whether pinentry-tty work now.

References:

• https://stackoverflow.com/a/3681807

[pizzamig]

What your command is doing is mounting again devfs in your jail.
The echo command always worked here, if not pts/1, another number would do.
devfs is always mounted directly by the jail command. I doubt pinentry-tty will work.
After pot start yourpot you can verify if devfs is mounted using mount -t devfs

[0mp]

What your command is doing is mounting again devfs in your jail.

I am not sure if that is true. I do not mount it again. I just apply another rule set which allows more devices to be exposed in the jail.

The echo command always worked here, if not pts/1, another number would do.
devfs is always mounted directly by the jail command.

This is true, but the default devfs rule set is not permissive enough for GnuPG to work properly.

I doubt pinentry-tty will work.

It actually does work! I just successfully sent a signed email with mutt after being asked by the gpg agent to provide the passphrase.

For future reference, I am using the following configuration of pgp_sign_command in my GPG rc file:

set pgp_sign_command="gpg --pinentry loopback --no-verbose --quiet --output - %?p?--passphrase-fd 0? --armor --detach-sign --textmode %?a?-u %a? %f"

Thanks a lot, @pizzamig!